Share

How Google Chrome Spent a Decade Making the Web More Secure

Sundar Pichai, then senior vice president of Chrome and Apps at Google Inc., speaks during the Google I/O conference in San Francisco, California, U.S., on June 28, 2012.

David Paul Morris/Bloomberg/Getty Images

A lot of people may find it hard to remember a time before Chrome. But as Google's browser hits its 10th birthday Tuesday, it's worth noting one under-appreciated source of its popularity: how it made the web more secure.

Google developers didn't invent every improvement that made Chrome a more secure alternative to established competitors like Internet Explorer and Safari when it debuted. But they did architect the service to combine crucial components in a new way, creating a noticeably safer and more reliable browsing experience.

"What are we getting into with Chrome? Perhaps Web 3.0," WIRED wrote on September 2, 2008, the day Chrome launched. "The way it manages tabs, the way it treats errors, its blinding speed ... there's no doubt this is a game changer in the world of web development."

Crucially, Chrome managed tabs in a new way; its "sandbox" made each one run with its own permissions and protected memory. That way if one tab crashed it didn't crash the whole browser, and if an attacker tried to attack a Chrome user, she wouldn't be able compromise more than one site at a time. For the first time, a browser functioned more like an operating system, running many isolated programs on a permission system, rather than as a single free-for-all program.

"When Chrome started out, the big threat was drive-by malware, and I think people forget how common it was in those days," says Justin Schuh, a principal engineer who has worked on Chrome since 2009. "If you didn’t have an up-to-date browser, or even in some cases if you did, you might browse to a site and get malicious code on your system and you wouldn't know how it happened. So the original design of Chrome had two big pieces: auto-updates to make sure you always had the most updated version, and the Chrome sandbox to make sure that if there was a vulnerability that could be exploited we could confine that within the sandbox."

'I will be very, very upset if three to five years from now password phishing is still something that we don’t feel we’ve largely solved.'

Justin Schuh, Chrome Engineer

These features that set Chrome apart in 2008 are now an industry standard, but at the time Google received criticism for its new browser's big bets. "There was a lot of resistance to auto-updates including from the Chrome security team itself—including from people who are actually on our team right now," says Parisa Tabriz, Chrome's director of engineering. "I remember one colleague thought auto-updates was the devil. He said it was taking away user choice, and put too much trust in one single point of failure. But now there’s been a huge shift in the industry that auto-update actually makes sense for browsers."

Chrome soon became known as the secure browser, and its original sandbox, combined with its phishing and malware protections from Google's Safe Browsing service, successfully protected users from most threats of the day. But as web hacking evolved and attackers moved away from drive-by downloads to rely more heavily on exploiting third-party components and services embedded in websites, Chrome scrambled to plug these other types of holes.

"We saw the most user compromises around 2011 and 2012," Tabriz says. "They were coming from third-party plugins that we couldn’t control like Flash. One of the interesting things about Chrome Security and the web overall is there’s a lot of partnership with other browsers. So Flash was a really powerful, cool, innovative technology, but also very proprietary and came with a lot of security problems. So we've moved to using an open standard with HTML5 that all the browsers can use."

Though Google is obviously aggressive about gaining Chrome users, and has built a whole ecosystem through Android that relies on Chrome, Schuh and Tabriz note that the browser is still underpinned by a massive open source project. And they add that in addition to publishing the code base, Chrome is also very intentionally developed in public, with contributors from around the world and discourse publicly visible in the Chromium forums. Google has even paid out more than $4.2 million through its bug bounty program to researchers who submit Chrome vulnerabilities.

"It's possible to open source things without having them be open development," Schuh says. "But our external wiki pages and mailing lists—anyone in the world can subscribe to them. And a lot of the people working on our projects, they’re not using corporate Google accounts, but independent Chromium accounts."

One crucial project over the last few years has been expanding the concept of the Chrome sandbox through a new feature called "site isolation." The mechanism silos web pages into different processes even more aggressively, making it harder for different web components and sites to steal user data from each other. Though the Chrome team originally envisioned this feature as a protection against various types of online crime and abuse, it ended up protecting against Meltdown and Spectre-type processing exploits as well.

A more recent focus: advocating for widespread use of encrypted connections on the web. After a few years of collaborating with others in the security community to encourage sites to use HTTPS over HTTP, Chrome flipped its in-browser messaging at the beginning of 2017 to call out sites that still weren't offering the protection. Where formerly sites with HTTPS were marked secure, Chrome changed to treat that as the norm and start marking sites that only used HTTP as insecure with a warning to users. Today 77 percent of all Chrome traffic is protected by HTTPS.

"HTTPS has been available for 20 years, yet the web has been almost entirely HTTP until fairly recently," says Adrienne Porter Felt, Chrome's engineering manager. "We could have changed the Chrome interface to tell everyone 'hey, your data isn’t safe.' It would have been true, but it also would have been really scary, and it wouldn’t have solved the problem. So we decided we’re going to help make the whole web encrypted. We worked with partners like Let’s Encrypt and Firefox and others to make HTTPS cheaper and easier to implement. It was a hard problem to tackle and we had a lot of skepticism even from within our own company initially."

Chrome's original auto-update naysayers who worried about overreach and a single point of failure foreshadowed the criticisms that have come to haunt Chrome's security initiatives again and again. As the browser has proliferated, the web community has grown increasingly wary of the service's power to influence standards and nudge developers to optimize sites for Chrome above other platforms.

For its 10th birthday, Chrome is debuting redesigns on desktop and mobile, streamlined tab management features, expanded settings personalization, and a feature called "Smart Answers" that Chrome says will instantly surface information in Chrome's "Omnibox" address bar before even opening any webpages. But looking farther ahead into the next 10 years, the team says it plans to add deeper AI and machine learning integrations—a trend across Google services—and incorporate more virtual reality and augmented reality tools for enhanced browsing.

'We decided we’re going to help make the whole web encrypted.'

Adrienne Porter Felt, Chrome Engineering Manager

The security team specifically plans to work on bringing site isolation to mobile browsing; the relatively constrained computing resources on smartphones makes it difficult. The group also plans to prioritize educating Chrome users about the browser's built-in password manager, which has existed for years but has largely flown under the radar since Chrome has so many other features to tout. Here, too, Chrome's dominance raises some questions; in-browser password managers have potential exposures and they aren't preferred by security experts. They might be better than nothing, but a dedicated password manager would be a safer bet.

Chrome engineers also say that bringing phishing under control remains a major priority. The effort combines Chrome's own scanning and monitoring with advocating that sites adopt best practices in credential management and web authentication. And Google is working to teach users about ways they can help protect themselves through measures like physical authentication tokens.

"Password phishing is a huge problem right now," Schuh says. "Everybody knows someone who’s gotten password phished, and it played a significant role in the 2016 election. I will be very, very upset if three to five years from now password phishing is still something that we don’t feel we’ve largely solved."

Perhaps most notably, the team says that its next HTTPS-scale project will be working to redesign how URLs are displayed on the web as part of an effort to reimagine identity online. The team says that if users have a better way to track which entities they're interacting with at a given time, they will be better able to make decisions about who to trust when and for what. But any effort to rework the URL ecosystem will inevitably be deeply divisive. "It’s just going to be really hard and controversial to make people step away from URLs as they are now," Tabriz says.

For better or worse, all its years of grappling with industry and community pushback has emboldened the Chrome security team to take on more and more expansive web ecosystem projects like this. And though it's generally been for the better so far, Chrome's reach combined with Google's general dominance mean the stakes are high for the next 10 years. The web community will be watching to see how much Chrome truly values pluralism as the service gains more and more control online.